FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 08/22/2011 

To: Norfolk 


From: Norfolk



Title: SUSPICIOUS ACTIVITY THAT RELATES TO GLOBAL STRATEGIES GROUP (NORTH AMERICA) INC.;


Synopsis: (U) To close case. 



Details: (U) In December 2010, SA | | conducted research into the two links provided in the suspicious email: http://news.bbc.co.uk/2/hi/middle_east/2988455.stm and http://www.jonathanforeman.com/military/nyp_iraq/04192003_chest.html. Research identified that both links go to legitimate sites documenting the discovery of a "$700 Million Treasure Chest" by the U.S. military in Iraq and that both links have been used for years in connection with known spam emails.

(U) Since December 2010, FBI Norfolk has not received any other complaints from this victim concerning suspicious emails. With the conclusion of all investigative research into this suspicious email and the lack of a nexus to spear phishing, malicious code, | | it is recommended that this case be closed.











Date: 01/14/2011

Precedence: ROUTINE

From: Norfolk
Squad 10
Contact: SA

Approved By:

Drafted By:
Case ID #:
(U) Title: SUSPICIOUS ACTIVITY THAT RELATES TO GLOBAL STRATEGIES GROUP (NORTH AMERICA) INC.;

Synopsis: (U) To document continued research conducted on suspicious email.



Details: (U) On 12/13/2010, SA | | received an email from | | for Global Strategies Group (North America) Inc. also known as Global Defense Technology & Systems, Inc. (GTEC) regarding a new suspicious email received by a GTEC employee, | |, on 12/11/2010. This email appears to have been sent from lieutenant | | | |. All of the text in the email is contained in the subject line, which reads: "I am | | an officer of the U.S Army. I am on the move to Afghanistan from Iraq as the last batch just left and have some items I will need to ship to you. Can you be trusted?" This email was marked as spam by the | | email account. | | informed | | that the email contained one blocked image that contains the actual message, which is at https://img.web.de/v/p.gif. Neither | | accessed this message.

(U) | | included the email header information which upon review identified the originating Internet Protocol (IP)
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 12/14/2010

To: Norfolk
From: Norfolk

Title: SUSPICIOUS ACTIVITY THAT RELATES TO GLOBAL STRATEGIES GROUP (NORTH AMERICA) INC.;


Synopsis: (U) To document continued research conducted on 

suspicious email. 



Details: (U) On 12/14/2010, SA | | received an email from | | for Global Strategies Group (North America) Inc. also known as Global Defense Technology & Systems, Inc. (GTEC) containing the header information for the suspicious email received by a GTEC employee on 11/16/2010. This email appears to have been sent from | |. | | explained that the GTEC employee that received the email, received it at his old work email account, | | is not familiar with the account. SFA is the former name of GTEC, and all of their old email accounts are still active.

(U) A review of the email header information identified 59.185.102.44 as the originating Internet Protocol (IP) address for this email. Multiple IP lookups identified that this IP belongs to Mahanagar Telephone Nigam Ltd (MTNL-AP), located in Mumbai, India.
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 12/13/2010

To: Norfolk

From: Norfolk

(U) Title: SUSPICIOUS ACTIVITY THAT RELATES TO GLOBAL STRATEGIES GROUP (NORTH AMERICA) INC.;

Synopsis: (U) To document research conducted on suspicious email.

Details: (U) On 12/13/2010, SA | | searched Automated Case Support (ACS) and conducted Google searches regarding | |
Precedence: ROUTINE Date: 11/24/2010

To: Norfolk

From: Norfolk
Squad 10
Contact: SA

Approved By:

Drafted By:
Case ID #: (U)

(U) Title: SUSPICIOUS ACTIVITY THAT RELATES TO GLOBAL STRATEGIES GROUP (NORTH AMERICA) INC.;
b6

b7C 
Synopsis: (U) To document research into suspicious email and contact with victim company

America) Inc. also known as Global Defense Technology & Systems, Inc. (GTEC) at office telephone | |

(U) | | noted that GTEC has not received any other emails and nothing further has come from this incident. | | also read part of the Defense Security Service investigative report on this matter, which identified that this email was analyzed and does not appear to be connected with any intelligence collection activities. | | volunteered to forward any additional suspicious emails to SA | | for the duration of this case.
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 10/21/2010

To: Norfolk Attn: Squad 10

From: Norfolk
Squad 10
Contact: SA

Approved By:
Drafted By: | |

Case ID #:
Title: SUSPICIOUS ACTIVITY THAT RELATES TO GLOBAL STRATEGIES GROUP (NORTH AMERICA) INC.;

Synopsis: (U) To open a Full Investigation.

Details: (U) On 08/31/2010, | | with Defense Security Service (DSS) notified FBI Norfolk via email of a suspicious contact report concerning Global Strategies Group (North America) Inc. also known as Global Defense Technology & Systems, Inc. (GTEC). GTEC is located at 760 Lynnhaven Parkway, Suite 200, Virginia Beach, VA 23452.
(U) | | with office telephone | | and email: | | received an email on 08/23/2010, from | | for GTEC. This email identified that | |, an employee with GTEC, received an email stating that someone whom | | works with left office keys at the bar. The email included a link which the sender stated contained a picture of the found keys. Neither | | nor anyone else at GTEC clicked on the link.

(U) The original email, dated 8/20/2010 at 11:18PM, appears to come from | | [mailto: | |]. The link included in the email is TiTtpV? ! 7itWWTTdhpiatf orm. com/cgi -bin/'arp3/arp3 - t,pl?1^140&c=1904402.
To Be Returned: □ Yes ☒ No

Receipt Given: □ Yes ☒ No

Grand Jury Material - Disseminate Only Pursuant to Rule 6(e) Federal Rules of Criminal Procedure: □ Yes ☒ No

Federal Taxpayer Information (FTI): □ Yes ☒ No

Title:

(Communication Enclosing Material)

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 07-31-2019 BY | |


Monday, December 13, 2010 8:53 AM


FW: Suspicious Emai 


Subject: 


with Microsoft SMTPSVC(6.0.3790.4675); 


Below, at the very bottom is a suspicious email forwarded to me from one of my employees working remote 
from his home l I 

There are a couple of email exchanges here, as you'll see, because the entire email is contained in the subject 
line. This concerned me, so I emailed him back to check if there were any blocked items or attachments that 
came with the email. He responded back with an image link that had been blocked. I went ahead and had 
him send me the expanded headers to save time if it turns out this is something that needs further 
investigation. I have included them below. Please let me know if you need any additional information. 

Internet Headers Version 2.0

gnavbmXl.gna.local ([172.16.2.55]) by | |

11 Dec 2010 13:42:56 -0500

ismtpl.gtec-inc.com (172.16.4.2) by gnamcmxl.gna.local

Microsoft SMTP Server id 8.1.436.0; Sat, 11 Dec 20

an officer of the U.S Army. I am on the move to
aq as the last batch just left and have some items I
you. Can you be trusted?
html; charset="UTF-8"
fer-Encoding: 7bit
rmal

ID:V01U2FsdGVkX1/sY1zy1xXSfOejehGVF0bDq1bLj7pZCml0vd7PLT3P7aOs9IZAccb/

+VmoPzYeWs33Eg==

Barracuda-Connect: fmmailgate09.web.de[217.72.192.184]

X-Barracuda-Start-Time: 1292092975
X-Barracuda-URL: http://172.16.4.2:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at gtec-inc.com
X-Barracuda-Bayes: INNOCENT GLOBAL 0.4827 1.0000 0.0000
X-Barracuda-Spam-Score: 1.05

X-Barracuda-Spam-Status: No, SCORE=1.05 using global scores of TAG_LEVEL=1.6 QUARANTINE_LEVEL=2.2 KILL_LEVEL=2.6
tests=HTML_MESSAGE, HTML_MIME_NO_HTML_TAG, MIME_HTML_ONLY

X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.49140
Rule breakdown below
pts rule name description

on MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.00 HTML_MESSAGE BODY: HTML included in message

y d HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag

X-Priority: 5 (Lowest)

X-MSMail-Priority: Low
Importance: Low
X-Barracuda-Spam-Flag: YES
Return-Path: col47@iramll.co.cc

X-OriginalArrivalTime: 11 Dec 2010 18:42:56.0818 (UTC) FILETIME=[3A3E8920:01CB9963]


ource 


<body bgcolor="#ffffff" background="https://img.web.de/v/p.gif" class="bgRepeatYes" style="background-repeat:
repeat; background-color: rgb(255, 255, 255); color: rgb(0, 0, 0); font-family: verdana,geneva; font-size: 9pt; padding-left: 0px;">
<div style="min-height: 200px; background-image: url(https://img.web.de/v/p.gif); background-repeat:
repeat; background-color: #ffffff; font-family: verdana,geneva; font-size: 9pt; padding-left: 0px;"><span style="font-size:
9pt;"><span style="font-family: verdana,geneva;"><span style="background-color: transparent;"><span style="color:
#000000;"><span style="color: #000000;">&nbsp;</span></span></span></span></span></div></body>
| | an officer of the U.S Army. I am on the move to Afghanistan from Iraq as the
some items I will need to ship to you. Can you be trusted? 

tng the link. I will forward this along with your previous email to DSS.


| an officer of the U.S Army. I am on the move to Afghanistan from Iraq as the 
items I will need to ship to you. Can you be trusted? 


ie email. I'm not exactly sure what I'm doing, but I think this is the link that 


I forward it to you? 
















This is the entire email? No links or anything? 


www.gtec-inc.com


Sent: Monday, December 13, 2010 7:26 AM 

Subject: FW: [SPAM] I am | | an officer of the U.S Army. I am on the move to Afghanistan from Iraq as the last batch just left and have some items I will need to ship to you. Can you be trusted?


.merica) Inc 


il Defense Technology & Systems Company (NASDAQ: GTEC) 

n-Critical Solutions for National Security 


If you have received this message in error, please contact the sender immediately and be aware that the use, copying, or dissemination of this 
information is prohibited. This email transmission contains information from Global Defense Technology & Systems, Inc. that may be considered 
privileged or confidential and is intended solely for the named recipient.


From: lieutenant | |

Sent: Saturday, December 11, 2010 1:43 PM

| | an officer of the U.S Army. I am on the move to Afghanistan from Iraq as the last

ems I will need to ship to you. Can you be trusted?


Subject: [SPAM] I am 













